crypt::smbhash(3pm) [debian man page]

SmbHash(3pm)						User Contributed Perl Documentation					      SmbHash(3pm)

NAME

       Crypt::SmbHash - Perl-only implementation of lanman and nt md4 hash functions, for use in Samba style smbpasswd entries

SYNOPSIS

	 use Crypt::SmbHash;

	 ntlmgen SCALAR, LMSCALAR, NTSCALAR;

DESCRIPTION

       This module generates Lanman and NT MD4 style password hashes, using perl-only code for portability. The module aids in the administration
       of Samba style systems.

       In the Samba distribution, authentication is referred to a private smbpasswd file. Entries have similar forms to the following:

       username:unixuid:LM:NT

       Where LM and NT are one-way password hashes of the same password.

       ntlmgen generates the hashes given in the first argument, and places the result in the second and third arguments.

       Example: To generate a smbpasswd entry:

	  #!/usr/local/bin/perl
	  use Crypt::SmbHash;
	  $username = $ARGV[0];
	  $password = $ARGV[1];
	  if ( !$password ) {
		  print "Not enough arguments
";
		  print "Usage: $0 username password
";
		  exit 1;
	  }
	  $uid = (getpwnam($username))[2];
	  my ($login,undef,$uid) = getpwnam($ARGV[0]);
	  ntlmgen $password, $lm, $nt;
	  printf "%s:%d:%s:%s:[%-11s]:LCT-%08X
", $login, $uid, $lm, $nt, "U", time;

       ntlmgen returns returns the hash values in a list context, so the alternative method of using it is:

	  ( $lm, $nt ) = ntlmgen $password;

       The functions lmhash and nthash are used by ntlmgen to generate the hashes, and are available when requested:

	  use Crypt::SmbHash qw(lmhash nthash)
	  $lm = lmhash($pass);
	  $nt = nthash($pass);

       If Encoding is available (part of perl-5.8) the $pass argument to ntlmgen, lmhash and nthash must be a perl string. In double use this:

	  use Crypt::SmbHash qw(ntlmgen lmhash nthash);
	  use Encode;
	  ( $lm, $nt ) = ntlmgen decode('iso-8859-1', $pass);
	  $lm = lmhash(decode_utf8($pass), $pwenc);
	  $nt = nthash(decode_utf8($pass));

       The $pwenc parameter to lmhash() is optional and defaults to 'iso-8859-1'.  It specifies the encoding to which the password is encoded
       before hashing.

MD4
       The algorithm used in nthash requires the md4 algorithm. This algorithm is included in this module for completeness, but because it is
       written in all-perl code ( rather than in C ), it's not very quick.

       However if you have the Digest::MD4 module installed, Crypt::SmbHash will try to use that module instead, making it much faster.

       A simple test compared calling nthash without Digest::MD4 installed, and with, this showed that using nthash on a system with Digest::MD4
       installed proved to be over 90 times faster.

AUTHOR

       Ported from Samba by Benjamin Kuit <lt>bj@it.uts.edu.au<gt>.

       Samba is Copyright(C) Andrew Tridgell 1997-1998

       Because this module is a direct port of code within the Samba distribution, it follows the same license, that is:

	  This program is free software; you can redistribute it and/or modify
	  it under the terms of the GNU General Public License as published by
	  the Free Software Foundation; either version 2 of the License, or
	  (at your option) any later version.

	  This program is distributed in the hope that it will be useful,
	  but WITHOUT ANY WARRANTY; without even the implied warranty of
	  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	See the
	  GNU General Public License for more details.

perl v5.10.0							    2005-09-24							      SmbHash(3pm)

SMBPASSWD(5)															      SMBPASSWD(5)

NAME

       smbpasswd - The Samba encrypted password file

SYNOPSIS

       smbpasswd

DESCRIPTION

       This tool is part of the  Samba suite.

       smbpasswd is the Samba encrypted password file. It contains the username, Unix user id and the SMB hashed passwords of the user, as well as
       account flag information and the time the password was last changed. This file format has been evolving with Samba and has had several dif-
       ferent formats in the past.

FILE FORMAT

       The  format of the smbpasswd file used by Samba 2.2 is very similar to the familiar Unix passwd(5) file. It is an ASCII file containing one
       line for each user. Each field within each line is separated from the next by a colon. Any entry beginning with '#' is  ignored.  The  smb-
       passwd file contains the following information for each user:

       name   This is the user name. It must be a name that already exists in the standard UNIX passwd file.

       uid    This  is the UNIX uid. It must match the uid field for the same user entry in the standard UNIX passwd file.  If this does not match
	      then Samba will refuse to recognize this smbpasswd file entry as being valid for a user.

       Lanman Password Hash
	      This is the LANMAN hash of the user's password, encoded as 32 hex digits. The LANMAN hash is created by DES encrypting a well  known
	      string  with  the user's password as the DES key. This is the same password used by Windows 95/98 machines.  Note that this password
	      hash is regarded as weak as it is vulnerable to dictionary attacks and if two users choose the same  password  this  entry  will	be
	      identical  (i.e.	the password is not "salted" as the UNIX password is). If the user has a null password this field will contain the
	      characters "NO PASSWORD" as the start of the hex string. If the hex string is equal to 32 'X' characters then the user's account	is
	      marked as disabled and the user will not be able to log onto the Samba server.

	      WARNING  !! Note that, due to the challenge-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this
	      password hash will be able to impersonate the user on the network. For this reason these hashes are known as plain text  equivalents
	      and  must  NOT be made available to anyone but the root user. To protect these passwords the smbpasswd file is placed in a directory
	      with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no
	      other access.

       NT Password Hash
	      This  is	the  Windows NT hash of the user's password, encoded as 32 hex digits. The Windows NT hash is created by taking the user's
	      password as represented in 16-bit, little-endian UNICODE and then applying the MD4 (internet rfc1321) hashing algorithm to it.

	      This password hash is considered more secure than the LANMAN Password Hash as it preserves the case of the password and uses a  much
	      higher quality hashing algorithm.  However, it is still the case that if two users choose the same password this entry will be iden-
	      tical (i.e. the password is not "salted" as the UNIX password is).

	      WARNING !!. Note that, due to the challenge-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this
	      password	hash will be able to impersonate the user on the network. For this reason these hashes are known as plain text equivalents
	      and must NOT be made available to anyone but the root user. To protect these passwords the smbpasswd file is placed in  a  directory
	      with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no
	      other access.

       Account Flags
	      This section contains flags that describe the attributes of the users account. In the Samba 2.2 release this field is  bracketed	by
	      '[' and ']' characters and is always 13 characters in length (including the '[' and ']' characters).  The contents of this field may
	      be any of the characters.

	      o U - This means this is a "User" account, i.e. an ordinary user. Only User and Workstation Trust accounts are  currently  supported
		in the smbpasswd file.

	      o N  -  This  means the account has no password (the passwords in the fields LANMAN Password Hash and NT Password Hash are ignored).
		Note that this will only allow users to log on with no password if the	null passwords parameter is set in the smb.conf(5)
		 config file.

	      o D - This means the account is disabled and no SMB/CIFS logins will be allowed for this user.

	      o W - This means this account is a "Workstation Trust" account. This kind of account is used in the Samba PDC code stream  to  allow
		Windows NT Workstations and Servers to join a Domain hosted by a Samba PDC.

       Other flags may be added as the code is extended in future.  The rest of this field space is filled in with spaces.

       Last Change Time
	      This  field  consists  of  the  time  the account was last modified. It consists of the characters 'LCT-' (standing for "Last Change
	      Time") followed by a numeric encoding of the UNIX time in seconds since the epoch (1970) that the last change was made.

       All other colon separated fields are ignored at this time.

VERSION

       This man page is correct for version 2.2 of the Samba suite.

SEE ALSO

       smbpasswd(8) samba(7) and the Internet RFC1321 for details on the MD4 algorithm.

AUTHOR

       The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the  Samba	Team  as  an  Open
       Source project similar to the way the Linux kernel is developed.

       The  original  Samba  man  pages were written by Karl Auer.  The man page sources were converted to YODL format (another excellent piece of
       Open Source software, available at ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated  for  the	Samba  2.0
       release by Jeremy Allison. The conversion to DocBook for Samba 2.2 was done by Gerald Carter

								 19 November 2002						      SMBPASSWD(5)